Closed guncebektas closed 1 year ago
Querying trolltech.com seems normal, as SQLiteStudio uses Qt framework for autoupdates and I guess it checks for Qt updates there too (even if they are not used).
I'm not sure what you mean by "email activity". Are you implying that SQLiteStudio is sending emails? Using what SMTP server?
3.4.4 is not visiting those URLs; is this behavior expected for 3.4.4?
Our security team's report contains a warning for 3.4.4 as:
BitRock InstallBuilder
ericm@scriptics.com
bach@mwgdna.com
loewerj@hotmail.com
rolf@pointsman.de
mmclennan@lucent.com
peter@pdqi.com
And visits to:
http://timestamp.apple.com/ts01 [Computers/Internet]
http://support.micr [Unrated]
http://download.bitrock.com/feedback.php [Computers/Internet]
http://jschmoe:xyzzy@www.bogus.net:8000/foo/bar.tml?q=foo#changes [Unrated]
https://update.bitrock.com/api/1_0 [Computers/Internet]
http://blogs.msdn.com/oldnewthing/archive/2003/08/21/54675.aspx [Computers/Internet]
http://www.iana.org/assignments/character-sets [Computers/Internet]
http://blogs.msdn.com/b/oldnewthing/archive/2004/01/30/65013.aspx [Computers/Internet]
http://www.apple.com/DTDs/PropertyList-1.0.dtd [Computers/Internet]
http://forum.java.sun.com/thread.jspa?threadID=426291&messageID=1997063 [Computers/Internet]
http://www.activestate.com/tcl/ [Computers/Internet]
http://tkcon.sourceforge.net/ [Computers/Internet; Web Applications]
InstallBuilder is the installation framework used in 3.4.x - https://installbuilder.com/ I don't know anything about these emails. Is SQLiteStudio trying to send emails to these addresses (and how)? Or did you just find these addresses as text by analyzing the binary contents? In that case - why even bother?
Our security team is inspecting. I couldn't see those email addresses as plain text; maybe they are obfuscated by a tool in your build pipeline.
Not sure if there is an outgoing email. I will share updates.
In general I'm expecting to see similar results on similar versions, as there isn't any major version change. If you are saying it's normal, then it's normal.
Version 3.2.x used Qt installer/updater, while 3.4.x uses InstallBuilder, so the reports you provided are different and it's expected.
The email addresses are not obfuscated (binary-encoded?) by me, but probably already by the InstallBuilder team, because I use official binaries provided by InstallBuilder.
Nevertheless, if nothing is sent to these emails, I don't see anything to worry about. If some emails are sent, I would be happy to know that too ;) And I would reach out to the InstallBuilder team if they know anything about it.
We couldn't find any sent emails, but it will always create some noise like mine :)
Details
3.2.1 is sending requests to several websites, such as http://trolltech.com; this seems suspicious. Besides that, we checked 3.4.4.
This kind of action is not found, but 3.4.4 has some email activity to ericm@scripts.com, bach@mwgdn.com etc...
```
Execution Arguments: "c:\windows\temp\UpdateSQLiteStudio.exe"
Label: UpdateSQLiteStudio.exe
Date Added: 2023-10-25 12:22:43 (UTC)
File Type: PE32:win32:gui
File Size: 19903536 bytes
MD5: 4cd39fa848a0b8834c63b0e7cdf00259
SHA256: 9626d21a1421a3e46c4e7f1e631bdcccd323f9d812653a0b981dc48e4d040635
6 Contains links to suspicious hosts
5 Connects to a placeholder site
4 Checks whether debugger is present
4 Contains compressed or encrypted data or code
4 Imports library functions that can be associated with process injection
3 T1057 - Process Discovery (Enumerates processes and threads) [MITRE-ATTCK]
2 PE: Nonstandard section
2 T1056.004 - Possible API Hooking using SetWindowsHook [MITRE-ATTCK]
2 T1106 - Native API [MITRE-ATTCK]
Static Events
Email Address: appro@openssl.org
Compiler: Contains indicators of the Microsoft Visual C++ compiler
OpenSSL: Contains indicators of the OpenSSL library
UserAgent: Mozilla/5.0
Anomaly: Contains serveral document extensions
Anomaly: PE: Contains one or more non-standard sections
Web reputation: http://bugreports.qt.io/ [Computers/Internet]
Web reputation: http://trolltech.com/xml/features/report-whitespace-only-CharData [Suspicious; Placeholders]
Web reputation: http://qt-project.org/xml/features/report-whitespace-only-CharData [Computers/Internet]
Web reputation: http://trolltech.com/xml/features/report-start-end-entity [Suspicious; Placeholders]
Web reputation: http://qt-project.org/xml/features/report-start-end-entity [Computers/Internet]
Web reputation: http://www.phreedom.org/md5 [Computers/Internet]
Web reputation: http://bugreports.qt.io/
Web reputation: http://trolltech.com/xml/features/report-whitespace-only-CharData
Web reputation: http://qt-project.org/xml/features/report-whitespace-only-CharData
Web reputation: http://trolltech.com/xml/features/report-start-end-entity
Web reputation: http://qt-project.org/xml/features/report-start-end-entity
Web reputation: http://www.phreedom.org/md5
Process/Thread Events
Queries information: Enumerates running processes and threads
Calls function: user32.dll:CreateWindowEx
Calls function: user32.dll:SetWindowsHookEx
Creates process: C:\windows\temp\UpdateSQLiteStudio.exe ["C:\windows\temp\UpdateSQLiteStudio.exe" ]
```
Steps to reproduce
Run an inspection with Symantec Content Analysis.
Operating system
Windows
SQLiteStudio version
3.2.1
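As an added illustration (not code from this issue or from SQLiteStudio), the point the thread makes, that a URL or e-mail address present as a string in a binary is not evidence of a request or an e-mail, can be applied mechanically to the report format quoted above. The script assumes report lines are `Key: value` pairs under colon-free section headers, and treats the `trolltech.com`/`qt-project.org` `xml/features/` URIs as what they are in Qt, feature names passed to QXmlSimpleReader rather than endpoints:

```python
# Constructed sample: a few lines copied from the Symantec report quoted above,
# with the same "Key: value" layout and section headers.
REPORT = """Static Events
Email Address: appro@openssl.org
OpenSSL: Contains indicators of the OpenSSL library
Web reputation: http://bugreports.qt.io/ [Computers/Internet]
Web reputation: http://trolltech.com/xml/features/report-whitespace-only-CharData [Suspicious; Placeholders]
Web reputation: http://qt-project.org/xml/features/report-start-end-entity [Computers/Internet]
Process/Thread Events
Queries information: Enumerates running processes and threads
Calls function: user32.dll:SetWindowsHookEx
Creates process: C:\\windows\\temp\\UpdateSQLiteStudio.exe"""

# URL prefixes that software uses as identifiers and never fetches: the
# feature names of Qt's QXmlSimpleReader, in both of its namespaces.
IDENTIFIER_PREFIXES = ("http://trolltech.com/xml/features/",
                       "http://qt-project.org/xml/features/")
STATIC_SECTIONS = {"Static Events"}   # entries here describe bytes in the file

def classify_url(url):
    """Label a URL string found in a binary by how it is probably used."""
    if url.startswith(IDENTIFIER_PREFIXES):
        return "xml-feature-name"     # parser setting name, not an endpoint
    return "static-string"            # in the file; no request evidenced by itself

def triage(report):
    """Separate static string hits from runtime events observed by the sandbox."""
    result = {"urls": {}, "emails": [], "runtime": [], "network": []}
    section = None
    for line in report.splitlines():
        if ":" not in line:            # assumption: header lines carry no colon
            section = line.strip()
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Web reputation":
            url = value.split(" [", 1)[0]            # drop the reputation tag
            result["urls"][url] = classify_url(url)
        elif key == "Email Address":
            result["emails"].append(value)            # a string, not SMTP traffic
        elif section not in STATIC_SECTIONS:
            result["runtime"].append(f"{key}: {value}")
            if key.startswith("Connects"):            # the only network evidence
                result["network"].append(value)
    return result

if __name__ == "__main__":
    for url, kind in triage(REPORT)["urls"].items():
        print(f"{kind:17} {url}")
    print("network events observed:", triage(REPORT)["network"] or "none")
```

Run against the full report, it lists which "Web reputation" hits are identifier strings and shows that the sandbox recorded process and API events but no outbound connection, which is the distinction the maintainer asks the reporter to make.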